Using namespace-scoped custom resources
The advanced configuration options explained on this page require an existing helm-based deployment on K8s with CRD version v1beta2. See here for instructions: Install Using Helm - new flow (beta)
open-appsec's default custom resources, which are used for the declarative configuration when locally managing open-appsec, are cluster-scoped custom resources. This means they are not associated with a specific namespace but are instead defined at cluster level.
In certain deployment scenarios, you might only have access to a specific namespace and do not have the permission to deploy any cluster-scoped custom resources on a given Kubernetes cluster. Or you might be an MSSP who only provides one or more dedicated namespaces to your customers.
Beginning with the open-appsec CRD version v1beta2 for Kubernetes, open-appsec also supports namespace-scoped custom resources for the configuration as an alternative to the default cluster-scoped custom resources.
Using namespace-scoped custom resources
When you deploy open-appsec using helm, you can optionally set the appsec.crdsScope attribute to namespaced, as shown below, to configure open-appsec to apply the configuration declaratively defined in namespace-scoped open-appsec custom resources instead of the regular cluster-scoped custom resources.
open-appsec, starting with v1beta2, provides every custom resource in two versions, a cluster-scoped version and an alternative namespace-scoped version.
Once you have set crdsScope to namespaced for your open-appsec deployment as explained above, make sure to provide the desired configuration for that specific deployment using the dedicated namespace-scoped CRDs, as shown in the examples below.
Namespace-scoped custom resources must reside in the exact same namespace in which the open-appsec agent is deployed in order to be applied by an agent whose CRD scope is set to namespaced.
Examples:
To define cluster-scoped custom resources for defining an open-appsec policy, use kind: Policy
To define namespace-scoped custom resources for defining an open-appsec policy, use kind: PolicyNS
To define cluster-scoped custom resources for defining a threat prevention practice, use kind: ThreatPreventionPractice
To define namespace-scoped custom resources for defining a threat prevention practice, use kind: ThreatPreventionPracticeNS
The same naming pattern applies to all other custom resource definition types which open-appsec supports for declarative configuration.
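The following pre-deployment check is an added example, not open-appsec project code. It flags manifests that an agent set to CRD scope namespaced would not apply: kinds without the NS suffix, and NS kinds outside the agent's namespace. The API group openappsec.io, the function name and the sample manifests are assumptions made for illustration.

```python
# Added example: lint manifests for an agent deployed with appsec.crdsScope=namespaced.
API_GROUP = "openappsec.io"  # assumption: API group of the open-appsec CRDs
NS_SUFFIX = "NS"             # naming pattern from this page: Policy -> PolicyNS


def lint_namespaced_scope(manifests, agent_namespace):
    """Return (resource, problem) tuples for resources the agent would not apply."""
    findings = []
    for m in manifests:
        group = m.get("apiVersion", "").split("/")[0]
        if group != API_GROUP:
            continue  # not an open-appsec custom resource
        kind = m.get("kind", "")
        meta = m.get("metadata", {})
        ref = f"{kind}/{meta.get('name', '<unnamed>')}"
        ns = meta.get("namespace")
        if not kind.endswith(NS_SUFFIX):
            findings.append((ref, f"cluster-scoped kind; use {kind}{NS_SUFFIX}"))
        elif ns is None:
            # Without a pinned namespace, placement depends on the kubectl context.
            findings.append((ref, f"metadata.namespace not set; pin to {agent_namespace}"))
        elif ns != agent_namespace:
            findings.append((ref, f"in namespace {ns!r}; agent runs in {agent_namespace!r}"))
    return findings


# Constructed sample manifests (spec sections omitted; only scope fields matter here).
SAMPLE = [
    {"apiVersion": "openappsec.io/v1beta2", "kind": "PolicyNS",
     "metadata": {"name": "web-policy", "namespace": "tenant-a"}},
    {"apiVersion": "openappsec.io/v1beta2", "kind": "ThreatPreventionPractice",
     "metadata": {"name": "default-practice"}},
    {"apiVersion": "openappsec.io/v1beta2", "kind": "ThreatPreventionPracticeNS",
     "metadata": {"name": "strict-practice", "namespace": "tenant-b"}},
    {"apiVersion": "openappsec.io/v1beta2", "kind": "PolicyNS",
     "metadata": {"name": "unpinned-policy"}},
    {"apiVersion": "v1", "kind": "ConfigMap",
     "metadata": {"name": "unrelated", "namespace": "tenant-b"}},
]

if __name__ == "__main__":
    for ref, problem in lint_namespaced_scope(SAMPLE, "tenant-a"):
        print(f"{ref}: {problem}")
```
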